[15257] in bugtraq


Re: local root on linux 2.2.15

daemon@ATHENA.MIT.EDU (Wojciech Purczynski)
Thu Jun 8 15:13:21 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0006081023450.1069-100000@alfa.elzabsoft.pl>
Date:         Thu, 8 Jun 2000 10:31:33 +0200
Reply-To: Wojciech Purczynski <wp@ELZABSOFT.PL>
From: Wojciech Purczynski <wp@ELZABSOFT.PL>
X-To:         Peter van Dijk <petervd@VUURWERK.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000608003814.A42233@vuurwerk.nl>

Procmail seems to be affected by this hole if used as the local mailer for
sendmail. If the CAP_SETUID bit is cleared, procmail doesn't drop privileges
and may execute the luser's program that mail is forwarded to in
~user/.procmailrc with root privileges.

-wp

On Thu, 8 Jun 2000, Peter van Dijk wrote:

> I do not have complete info right now, but here's the scoop:
> Local users can gain root thru a _kernel_ bug in linux 2.2.15 and some
> earlier versions. This is fixed in 2.2.16pre6. Linux 2.0.x is not
> vulnerable, I do not know of any other vulnerable OSes.
>
> The bug is that it is somehow possible to exec sendmail without the
> CAP_SETUID priv, which makes the setuid() call that sendmail eventually
> does to drop privs, fail. Big chunks of code that were never meant to run
> as root then do run as root, which is of course easily exploitable then.
>
> This is just about all the info I have, I do not have the exploit but I
> know that some black hats do have it. A couple of boxes already got
> completely trashed after being rooted through this hole, which is why I am
> making this public right now.
>
> I did not discover this bug, I only extrapolated from the small info I had:
> 'it has to do with capsuid' 'sendmail is vulnerable, crond is not'. Some
> reading of the kernel source then suggested the above to me, which has been
> confirmed by a more knowledgeable source.
>
> Greetz, Peter.
>

+--------------------------------------------------------------------+
| Wojciech Purczynski   wp@elzabsoft.pl  http://www.elzabsoft.pl/~wp |
| GSM: +48604432981   Linux Administrator   SMS: wp-sms@elzabsoft.pl |
+------ Public GnuPG Key:  http://www.elzabsoft.pl/~wp/gpg.asc ------+
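The failure mode both posts describe, setuid() failing once CAP_SETUID has been stripped and the caller carrying on as root, comes down to an unchecked return value. The following is an added example, not code from either poster, sendmail or procmail: the unchecked pattern beside a hardened drop_privileges() that treats a failed or incomplete drop as fatal. Run as an unprivileged user, setuid() to a foreign uid fails with EPERM exactly as it does for a root process that has lost CAP_SETUID, so the check can be exercised without root. All function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern behind the bug: the result of setuid() is captured but never
 * examined. When the process lacks CAP_SETUID, setuid() fails with EPERM,
 * the process stays root, and the caller proceeds as if it had dropped. */
int drop_privileges_unchecked(uid_t uid)
{
    int rc = setuid(uid);   /* failure goes unnoticed */
    (void)rc;
    return 0;               /* always reports success */
}

/* Hardened form: a privilege drop that did not take effect is fatal.
 * Returns 0 only when the process is verifiably running as `uid`. */
int drop_privileges(uid_t uid)
{
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%u) failed: %s\n",
                (unsigned)uid, strerror(errno));
        return -1;
    }
    /* Do not trust the return code alone: re-read the credentials and
     * refuse to continue unless both real and effective uid now match.
     * (On Linux, getresuid(2) additionally exposes the saved uid.) */
    if (getuid() != uid || geteuid() != uid) {
        fprintf(stderr, "privilege drop incomplete: ruid=%u euid=%u\n",
                (unsigned)getuid(), (unsigned)geteuid());
        return -1;
    }
    return 0;
}

/* Stand-alone demo: attempt to drop to the uid given on the command line
 * (default: the current real uid) and only then hand control onward. */
int main(int argc, char **argv)
{
    uid_t target = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();

    if (drop_privileges(target) != 0) {
        fprintf(stderr, "refusing to run user-controlled code as uid %u\n",
                (unsigned)geteuid());
        return EXIT_FAILURE;
    }
    printf("now running as uid %u; safe to hand control to user code\n",
           (unsigned)geteuid());
    return EXIT_SUCCESS;
}
```

Compile with `cc -Wall -o dropdemo dropdemo.c` and run `./dropdemo 12345` as a normal user: setuid() fails with EPERM and the program exits instead of continuing, which is the behaviour the affected mailers lacked. The re-check of getuid()/geteuid() after a successful return matters because for a non-root caller setuid() only changes the effective uid, so a return of 0 by itself does not prove every credential moved.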
